The September 11 terrorist attacks shocked the world and immediately sent the energy industry scrambling to assess its vulnerabilities. However, a year after the attacks, the burning questions remain: How can we prevent disaster, and if disaster does strike, how can the effects be realistically mitigated? "It's only a matter of time before something scary happens to us," predicts one Texas-based oil executive. "There are plenty of terrorist groups out there of all nationalities, but the guys who perpetrated the September 11 attacks were from the Arab world. Nobody understands the value of oil better than the Arabs, which makes this whole industry a bunch of sitting ducks. Believe me, if these guys want to make a statement-and obviously they do-what better target than oil? "Cut off oil imports to the U.S., and we're in deep economic trouble. Attack pipelines or production facilities, and we've got serious problems. Blow up a couple of refineries, killing more Americans, and they'll be screaming victory while we wonder how things could have gone so horribly wrong." Lacking a sense of clear direction, the U.S. oil industry immediately turned to the federal government for reassurance, protection and solutions to security risks. The Department of Transportation's Office of Pipeline Safety instructed pipeline operators on how to increase security. The Department of Energy removed all information about the Strategic Petroleum Reserve from the public eye. The Homeland Security Office was created-not yet a Cabinet-level agency, but with a proposed 2003 budget of about $40 billion and the sole objective to counter threats on U.S. soil. It issued a color-coded alert system for potential terrorist attacks, a move applauded by organizations like the American Petroleum Institute (API) as a "simple and uniform way of knowing how to evaluate any report of a threat to facilities and the surrounding communities." Since September 11, several industry trade groups have formed committees on security or beefed up existing ones. Corporations have looked anew at their safety precautions and crisis-response programs. Most are reluctant to discuss these measures publicly. The API has taken thousands of actions designed to further enhance the security of pipelines, refineries, oil and gas platforms, and other facilities and launched an initiative to address security concerns. API touts itself as the "oil industry security alert distribution point" as a short-term solution and supports the Energy Information Sharing and Analysis Center (ISAC), an industry group, as a longer-term solution. It will incorporate the color-coded warning system into its own guidance and suggests energy companies do the same. "Government and industry should work together to develop a process that ensures the sharing of relevant information," says API security team leader Kendra Martin. "In theory, that's a good idea," says one corporate security director, "but the process is not streamlined or effective yet and the amount of information-sharing leaves a lot to be desired. The API is good at a lot of things, but I wouldn't go to them first with my security concerns. I see them as more of a legislative helper than as a clearinghouse for good security information." The American Gas Association (AGA) also devotes considerable resources to security initiatives. "What might surprise you is that we've had an infrastructure security committee in place since the Gulf War," says Daphne Magnuson, AGA director of public relations. "Many of our member companies have had strong security programs in place since the 1960s." In addition to the AGA Natural Gas Security Committee, which began focusing on security issues in the early 1990s, the organization formed its Committee on Security Integrity and Reliability after September 11. Made up of chief executive officers and senior management, it oversees the Natural Gas Security Committee's work, focusing on security and reliability, assessing vulnerability and exchanging industry information. "All kinds of policy goals have been advanced in the name of oil security," says Michael Toman of Washington, D.C.-based Resources for the Future. "They range from drastic increases in vehicle fuel economy to increased funding for wind energy to proposed drilling in the Arctic National Wildlife Refuge to political jawboning of Mexico to increase supplies and eschew cooperation with OPEC. Some of the proposals wrapped in the mantle of oil security-in particular the notion of eliminating oil imports-have been plain silly. More broadly, debate on energy security options has been hindered by a lack of clear understanding concerning the different components of the energy security problem and their often-contrasting policy implications." Private-sector assistance to mitigate risk in the energy sector has increased probably five-fold since September 11, says one security consultant. "Oil companies are using the government and nonprofit organizations where they can, but they are relying more heavily than ever on their own private intelligence-gathering networks and their in-house and hired-in security consultants. I've never seen the amount of information sharing on security issues like I've seen since the World Trade Center attacks. The industry is pulling together to support each other, and so far it seems to be working." One such organization is ISAC, which provides a mechanism for private energy-security professionals to anonymously share an industrywide database of electronic security threats, vulnerabilities, incidents and solutions. Members of this private-sector partnership, from companies such as Conoco, BP, Duke Energy and El Paso, voluntarily report information. Once in the database, it is analyzed by security specialists and reported, depending on the seriousness of the cases, as "alerts" to its members in "near-real time." "Member anonymity is key to obtaining industrywide cooperation," ISAC says. The organization will not reveal names of members nor will it disclose the location of the ISAC facility, although the organization says its facility is "physically secured" and "operated remotely." Government agencies and law enforcement officials may submit information to the database, but they cannot access any data. "This program demonstrates that industries can, if they have the will, overcome the natural tendency to avoid sharing potentially embarrassing information," says Alan Paller, a cofounder of CIO Institute, a nonprofit fostering information exchange among chef information officers in very large organizations. Risks offshore Since September 11th, a number of vague threats to strike various targets, including nuclear power stations, the Brooklyn Bridge, banks and apartment buildings, have kept corporate security personnel on alert. The threat of diver-based terrorist activity specifically has caught the attention of offshore platform operators in the Gulf of Mexico. "The Gulf of Mexico is vulnerable," says David McDaniel, operations advisor for ChevronTexaco in Houston. "There are limited military patrols except for some fly-overs by military aircraft and Coast Guard cutters that make the rounds. The oil industry bends over backwards to keep the fishing industry happy, and that includes letting fishing boats tie up to rigs-some of the best fishing is around platforms." The practice is widespread, but it is a cause of concern because it is possible that a diver or fisherman could deposit explosives on a platform. Says McDaniel, "Rig workers are very observant these days. If anything looks suspicious, we have ways to chase them off." Under maritime law, offshore facilities are required to provide assistance to any vessels in the vicinity that are "in need." Not to be discounted are scenarios involving requests for false assistance from purportedly distressed vessels that ask to be tethered to offshore installations and/or that request to allow their passengers to board an offshore facility while they await help from authorities. "I suppose this could happen," McDaniel says, "but we feel confident we can rely on the Coast Guard to provide quick response in emergency situations." The Coast Guard has stepped up its security efforts, enacting Operation Noble Eagle, a joint agency coordination involving a heightened state of alert to protect U.S. water assets from possible terrorist activities. It has mobilized more than 2,000 Reservists in the largest homeland defense and port security operation since World War II, the Coast Guard says. "The Coast Guard has increased its vigilance, readiness and patrols to protect the country's 95,000 miles of coastline, including the Great Lakes and inland waterways. An increased presence will prevent and deter those who would cause harm to innocent Americans." McDaniel could not comment on specific measures in place to protect offshore facilities. "Somebody who knows what they are doing doesn't have to bring anything offshore-they can screw up the system from a remote location. However, because of the measures we have in place, the loss of life and property as well as any potential environmental damage would probably be minimal." Pipelines, especially those above ground, are also high on the target list for potential threat. Just 30 pipelines in the U.S. are responsible for transporting 90% of the country's natural gas. The nation's largest hydrocarbon artery, the TransAlaska Pipeline, carries 20% of the nation's crude oil. More than half the pipeline, or about 400 miles, lies above ground in unpopulated areas. Additional security may be necessary to protect the pipeline, according to Alaska Governor Tony Knowles. "We will use every means to find and punish those who jeopardize the safety and well-being of Alaskans, our environment and the oil facilities on which our jobs and economy depend," he said recently. The U.S. is not the only country at risk. By siding with the U.S., other nations, especially those in the Middle East, may also become targets of terrorism. Via pipelines from Algeria, Spain imports 75% of its natural gas, Portugal imports 100%, and Italy 54%. Saudi Arabia's Ras Tanura export terminal can pump up to 5 million barrels of oil a day into supertankers. "It is perhaps the most frightening terrorist prospect," comments Andrew Stewart, a U.K.-based geopolitical forecaster who advises blue chip companies, governments, the military and presidents on the impact of international relations on business. "Oil facilities clearly make attractive targets," he says. "A large oil tanker carries at full load upwards of 38 million gallons of crude oil. Even smaller shuttle-type tankers can carry 500,000 or more gallons of oil." Risks abroad Now is the time to protect against future attacks, says Will Gunther, president of Virginia-based Operation Corporate Training, an international security and training consultancy. Terrorists and criminals look for weaknesses, he notes, and the best prevention is the strengthening of facilities and to become expert in what he calls "Hard Target." (See box.) "Hire experts with knowledge in more than just security," he advises. "Hire experts with a military background in conducting small unit attacks such as Special Operations. The best way to catch a thief is to think like one." The most important point to remember, according to Gunther, is that "nothing happens without surveillance. No matter what type of crime takes place, the criminal has observed his attack location." Gunther is adamant that organizations thoroughly train staff, from the receptionist to the CEO, and provide all personnel with training in recognizing people out of place and situations warranting further investigation. "The Israeli government thwarts 86% of its potential attacks through reports from average citizens," he says. Many corporations worry about the cost of implementing security measures, but Gunther maintains that the most cost-effective way to provide security is to focus on procedural changes within the existing workforce, and training that force to be its most effective. "The biggest mistake most companies make is spending large amounts of money on technical equipment and more low-salary, untrained guards," he says. With the focus now shifted toward guarding oil installations, companies must be careful not to let their guard down on personnel security, says Mike Benson, Apache Corp. director of security. International travel can become a minefield of danger if the proper precautions and personal education are not taken. "Pre-travel briefings are essential," Benson says. "So are concrete evacuation plans, which are well-rehearsed and -established. Know what you are walking into. Know with whom you are dealing. That's what a good security advisor is for." Benson has published a handbook for international travelers that has become required reading for executives of many oil and gas organizations. "Sales of the book are going through the roof," he claims. "The traveler has to know how to respond to situations before they get out of hand. When you send someone overseas, he or she may be caught up in pre-travel preparations and not remember everything you've tried to cover beforehand. Give them this book to read on the plane." By 2020, it is estimated that more than 50% of total global oil demand will be supplied by countries that carry a high risk of serious internal instability, according to consultant Stewart. Civil wars, rebel factions, even roving bands of thieves are challenges that the modern oil company has faced. In some parts of the world, like Colombia, kidnapping is frequent, targeting the perceived "rich and powerful" oil companies to make social statements, get press coverage or acquire assets that can be used as bargaining chips or as a source of additional funding. In April 2002, Colombia's Ejercito de Liberacion Nacional (ELN) rebels said oil companies would continue to be targeted "because they support the ruling oligarchy and offer nothing to the people. From now on, all property and all assets of these companies will be military targets and anyone who works for them does so at their own risk." Calgary-based Payne Gray Intelligence Network is now advising its clients active in Colombia to review current security measures and re-implement proactive measures. The company's Rapid Response Team has been put on a higher state of alert and is prepared for deployment within 12 hours. "The business of kidnapping is increasing," says Ted Constantini, Payne Gray director of special projects. "Those who operate in venues of high threat/risk but with the 'security' contingency of kidnap and ransom insurance do so under a delusion. No one would buy car insurance thinking that it increases the chances of accident avoidance. However, the irony is that the more kidnappings there are, the greater the risk; the greater the risk, the greater the need to insure against it; and the more insurance there is, the more lucrative kidnapping becomes. Insure people and they become targets. In fact, according to the U.S. Insurance Information Institute, kidnappings of foreign nationals between 1985 and 1999 increased 100% to 1,728-a figure widely held to be conservative." One fear at the moment, says managing director John Davidson of London-based Rubicon International Services, is not of large attacks or dirty bombs, but of kidnapping of U.S. or European staff in retribution for the war on terrorism or associated political reasons. "The difference since September 11 is that, while in the past, there was a fairly high certainty that any abduction could be resolved for money, there is now a high likelihood of being killed as part of a political statement," Davidson cautions. A prudent level of K&R insurance was probably seen as sufficient security pre-September 11. Now companies are very focused on protecting their ex-pat workers. "These concerns are sharpened by the increasing likelihood of litigation by the families of any victims and, in the U.K., by the recent introduction into law of a corporate manslaughter offense that holds directors personally liable for any death resulting from negligence or failure to properly protect employees," Davidson adds. Payne Gray cautions against spending far too much money on fences, safes, alarms and other purely defensive measures to protect operations and people. "Train your people," the company advises. "Establish security training programs at all levels, including awareness, security professional development, exercises and simulations. This will assist in providing vulnerability and threat early-warning capabilities." In a kidnap situation, Payne Gray uses a passive monitoring system called ManTRAX, which covertly monitors and gathers real-time intelligence as soon as a crisis occurs. "In the past, negotiators would have to wait to be contacted by kidnappers before they could gather information," Constantini says. Due to the nature of the ManTRAX technology, finding hostages or gaining valuable intelligence during a crisis has become easier. Global consciousness Risk mitigation isn't always about thwarting threats or dealing with danger. Security issues need to be addressed from a more esoteric view at the outset of business relationships to avoid the common pitfalls that lead to world tensions and their related business aspects, according to Rene Dahan, executive vice president of ExxonMobil. "No other institution other than private enterprise has shown itself as adept at creating a better material life for more people nor as capable of developing advanced knowledge and applying it to practical problem solving," Dahan says. He maintains that for business to have these beneficial effects, its "practices and principles cannot be compromised by either 'accepted' or 'expected' practices within any host country, and that business dealings must be fair, honest and free of corruption." Rubicon tries to persuade organizations to adopt an "indirect hearts-and-minds approach" to security, using the protection of the local population around a project to provide security rather than miles of wire and ranks of armed guards. "We continually see companies throw money at projects without really taking the trouble to understand the problem and ensure aid is properly targeted," Davidson says. "Companies will almost automatically build a school or a medical clinic. On Day One they will have 100 sick people outside the clinic and a year later they still have the same number in line. A closer look might have directed them to contaminated drinking water or poor sanitation, which would have been cheaper problems to solve and a more effective use of money. "Part of the problem is that it requires personnel with aptitude, experience and initiative to get under the skin of the local community and direct effective support-qualities not always found in the security personnel hired to make it work." Community development is not new, he adds. "But integrated with low-profile security and managed properly, it can work in the most high-risk areas."